How to Test Your Users' Vulnerability to a CEO Fraud or Business Email Compromise Attack

On a phishing campaign, you have the ability to test your users with simulated phishing attacks, while also tracking if they will reply to these phishing attacks. Within your console, replies will be optionally recorded, and the raw data from the reply (in the form of a .eml file) will be available for you to download if you wish.

This is an important addition to your security awareness training plan that will help you to inoculate your users against Business Email Compromise or CEO Fraud. For example, what happens if your users receive an email from a cybercriminal pretending to be your CEO requesting an urgent wire transfer? Will the employee reply back to question the sender for more details or worse, simply confirm that they completed the transfer? Tracking replies in our console will allow you to see who your most vulnerable employees are.

Read the guide below, or watch our Reply-to Phishing tutorial video.

JUMP TO:
-How is the reply-to email address populated?
-What if I specified a reply-to email address in my email template already?
-Do you save ALL the information from the replies? What if my user sends in sensitive information?
-What if my user replies multiple times to the same phishing email?
-Should I track out of office replies?
-What kind of phishing email should I use for a reply-to phishing campaign?
-Where is the information for the replies recorded?
-What do the reply emails look like in the console?
-Reply-To in User Details

How it Works

You can choose to "track replies" on your phishing campaign, as shown below (1). The option to track replies will be off by default.

How is the reply-to email address populated?

The first part of the email address will be created automatically, but if you've specified a "Reply-To" name in your email template, it will use some of that information to populate the first portion of the sender email address.

For your custom reply-to domain (#2 in the image above), you can choose a domain from the list on the right to populate the reply-to email address domain, and modify the subdomain as well (by default, the subdomain will be the first part of your primary domain).

What if I specified a reply-to email address in my email template already?

If you specified a reply-to email address in your email template, but then use that template in a reply-to phishing campaign, the reply-to email address in your email template will be overwritten by your reply-to phishing campaign. This will ensure we will receive the replies from your users and will be able to show them to you in the console. 

Do you save ALL the information from the replies? What if my user sends in sensitive information?

Yes, you can choose to record all of the information from the replies (including the text of their reply, and any attachments). If you'd rather not see that information, and just record that they replied without saving the data from the reply, you can uncheck "Keep reply content for later review" (#3 in the image above). 

If you are concerned about the possibility of sensitive data being sent in, you can always delete the campaign once you record the results, or choose to not keep the replies at all. 

What if my user replies multiple times to the same phishing email?

We will only track the first reply from your user in the console. 

Should I track out of office replies?

You can choose to optionally "Track out of office replies" by clicking the checkbox next to that option (#4 in image above). If this setting is enabled, it will cause your user to fail the reply-to phishing test if our system receives an "out of office" message as a reply. By default, this setting is turned off, and "out of office" messages will not be recorded or tracked as failures.

There is a reason why you may want to track these replies in your console. You may want to see what sort of information your users are placing in their out of office message. If a hacker can receive email addresses, phone numbers, or other identifiable information from an out of office message from one of your employees, you may want to be aware of that.

Important note: If you ARE tracking out of office replies, and you're using Microsoft Exchange or Office 365, you'll want to go into your Account Settings to turn on the feature: Overwrite "From" address of phishing emails when tracking out of office replies

The reason for this setting is that some mail servers send out of office replies to the “From” address rather than the “Reply To” or “Return-Path” address, in particular, Exchange and Office 365.  In those cases, we need to set the “From” address to the reply tracking address if you wish to capture out of office messages. If you are NOT interested in capturing out of office emails or are using a mail service that sends out of office responses to the “Reply To” address (For example, G Suite), then it recommended that you keep this option off.

What kind of phishing email should I use for a reply-to phishing campaign?

You can use any of our templates with a reply-to phishing campaign, but it is best to use one that makes it enticing for the user to reply, or that prompts the user to reply, as shown below. We have a category of templates called Reply-To Only which will help get you started with phishing your users in this way. There are no links or attachments in these templates, so they will ONLY track replies from your users.

Where is the information for the replies recorded?

You can find this data in your campaign reporting area. To navigate there, click Phishing -> Campaigns ->[[name of your campaign]] -> Users -> Replied. Here you can see what users replied, and exactly what they replied with if you chose to keep the reply content in your phishing campaign. Click the arrow to view the reply, and the "letter" icon to view the phishing template originally sent to the user.

What do the reply emails look like in the console?

Below is an Example of a reply email from employee Fritz to the "CEO". Click "Download Raw Email" if you want to view the original email (including any photos/attachments/other data).

User Details

Fritz's reply will be added to his detailed user information page as well, as shown below.Back to Top